Github Intentionally Lets You Read Deleted & Private Commits

  • Published on 9 Oct 2024
  • jh.live/snyk || Try Snyk for free and find vulnerabilities in your code and applications! ➡ jh.live/snyk
    Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricet...
    Learn Coding: jh.live/codecr...
    Don't listen to other "influencer" VPN crap -- host YOUR OWN: jh.live/openvpn
    WATCH MORE:
    Dark Web & Cybercrime Investigations: • Tracking Cybercrime on...
    Malware & Hacker Tradecraft: • Malware Analysis & Thr...
    📧JOIN MY NEWSLETTER ➡ jh.live/email
    🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
    🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
    🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
    💥 SEND ME MALWARE ➡ jh.live/malware
    🔥TH-cam ALGORITHM ➡ Like, Comment, & Subscribe!

Comments • 50

  • @PwnySlaystation01 · 1 day ago · +25

    I wonder what implications this has for the DMCA. Example: I fork a major public repo and commit copyrighted code/writing to my forked copy... Say I commit the first Harry Potter novel... My repo gets hit with a DMCA takedown request, so it gets deleted (because legally, it has to be). Now I can just post the hash and anyone can visit it? I ASSUME GitHub can manually delete the commit "for real" in a case like this, but I'm curious. It'd have to be removed from the parent repo, right? And other forks?

    • @amunak_ · 1 day ago

      When a repo gets hit with a DMCA, all its forks disappear too, iirc.

    • @FranLegon · 1 day ago · +5

      That's a nice exploit you're suggesting

    • @wizix9877 · 1 day ago

      Was thinking the same thing, but with distributing files, or a kill switch in case of C2.

  • @asksearchknock · 1 day ago · +29

    Github security is totally forked 😂

    • @fruitloop831 · 1 day ago

      😂 I know right, good content, shite info IMO

    • @tpevers1048 · 1 day ago

      Na ahh, they are fixing it, stop telling this to everyone 😢

    • @fruitloop831 · 1 day ago

      @tpevers1048 Fixing? This has been easy to do for years; the only reason they're "fixing" it is cos of the attention it is getting. You really think it's going to be fixed? You're kidding ya self.

  • @kaslmineer7999 · 1 day ago · +14

    3:36: [Discord notification sound]

    • @luketurner314 · 1 day ago

      I legit thought it was my Discord, but since I couldn't find any evidence there, I replayed that bit of the video to confirm. lol

    • @CrittingOut · 11 hours ago

      3 of them in this video lmfao

  • @takennmc · 1 day ago · +1

    You could also clone the repo and filter any commit that is normally public, so it doesn't always hit the API.

  • @TheMAZZTer · 1 day ago · +6

    The next question is: does this work for DMCAed repos?

    • @bradley144 · 1 day ago · +1

      If you know the commit hash, then yes.

  • @logiciananimal · 1 day ago

    GitHub could be much more proactive with the rate limiting in various ways, thus lowering the risk of discovery. This is also a "can I find a way to steal *that* car" vs. "can I find a way to steal *a* car" situation, which is context dependent.

    • @guiorgy · 16 hours ago

      It's a cat and mouse game. If there's a rate limit on each IP, just get a couple of systems, maybe rent them, and increase the scanning speed that way.

  • @ParabolicLabs · 1 day ago · +5

    I always recommend hosting your own git server with SSH keys for auth specifically for private repos.

  • @MyRandomness987 · 1 day ago · +1

    3 total Discord sounds heard lol. Love your videos!

  • @MD101-ssh · 1 day ago · +1

    Dude, that's crazy.

  • @austinmurphy9074 · 1 day ago · +1

    You gotta turn off your Discord notification sounds when you record 😆

  • @HEXiT_ · 1 day ago · +3

    This is common. You delete something and it doesn't get deleted; just your access to it is removed.
    Meta and Google both do the same too :(

    • @badura.develop · 3 hours ago

      It's called soft delete. Try to learn a thing or 2 about it, and you'll learn why most companies are doing it.

  • @mingxi1055 · 1 day ago · +5

    Concerning, indeed.

  • @xanzut · 5 hours ago

    So if you somehow found some sensitive information from some company on GitHub, you can fork the repo and still access the information even if the original repo is deleted 😂 their IT security would cry over this

  • @austinmurphy9074 · 1 day ago

    So if someone forks a public repo then makes it private, are those commits accessible from the public upstream one? 🤔

  • @alexanderw4714 · 1 day ago · +1

    Is this related to GitHub only? What about GitLab?

  • @icebice · 1 day ago

    SHA1 isn't actually long, so brute forcing a repo with X amount of proxies/VPNs is still viable, and there are a lot of VPNs and proxies available on the internet 😅
    Yeah, it'll be slow, but it will in the end successfully gain access to viable data.

  • @Randy-nb6fw · 1 day ago

    Would it be possible to use Google dorking to find these, or would they not really be picked up??

    • @Randy-nb6fw · 1 day ago

      Just tried, but could only find people talking about related issues, POC code and people talking about it lol.
      Maybe somebody else might have better luck.

  • @planixxx · 1 day ago

    Why not count from 0 to 65535 in hexadecimal? It will be between 0x0000 and 0xFFFF, which will include the whole range. Am I missing something here?

    • @Darius1013 · 1 day ago

      This is exactly what itertools.product() does, but instead of:
      0x0000
      0x0001
      ...
      0xffff
      you will get (if used with JH's sequence):
      0xaaaa
      0xaaab
      ...
      0xaaa1
      0xaaa2
      ..
      0xfff0
      ..
      0xffff
      If you want 0000 to ffff, initial chars = '0123456789abcdef'.. Ok, performance wise maybe hex+1 is faster, but it's such a minimal difference.. The slowest operation here is the request, and if you want flexibility (like you know for sure the initial hash doesn't have a 0 in it) itertools is way better.

    • @Darius1013 · 1 day ago

      Damn, you made me look.. On 4 chars there is no difference, results in both cases come in at like 0.005s.. But if we increase it to 6 chars, hex+1 is ~20% faster, but again we are talking like 2.5s vs 2s for generation (these results are using an online compiler, so on a real PC they are probably even lower).

  • @SmilerRyanYT · 1 day ago · +2

    So just to make sure I'm understanding this correctly: if someone forks a public repo for themselves, makes it private, edits some stuff and deletes it, the original repo can still see that as long as you know the git commit hash?

    • @zacadoole1 · 1 day ago · +1

      I don't think you can technically make a private fork of a public repo, they won't let you.

    • @SmilerRyanYT · 1 day ago

      @zacadoole1 Seems like you're right. You can only fork them publicly and can't edit them to be private once they're made, so that's good to know.

  • @fruitloop831 · 1 day ago · +2

    Yer, this is old news, but it should be mentioned/referenced on the page.

  • @TomCopeProductions · 1 day ago

    If you are going to shill other people's work, please link it in the description. It's the least you can do.

  • @Linda-n7v · 1 day ago

    😮 ✋️ I have so much to learn. 😊 ty

  • @thripnixe · 19 hours ago

    Bro is two months late.

  • @adriantarver2229 · 1 day ago

    More like C4! 💥💥💥

  • @megatron324 · 1 day ago

    Her name is Amber.

  • @jitxhere · 1 day ago · +1

    Wow, this is at least a P1 if not P0 level thing.

  • @Abhinav-Dash05 · 1 day ago

    Now I know why OpenAI is now not interested in issuing API keys to me. Why GitHub whyyyyyyy 😢

  • @Apoplexy18 · 1 day ago

    WTF

  • @ThisIsJustADrillBit · 1 day ago · +2

    Oopsie 😂 what could go wrong 😅

  • @KLEOPATTRAA999 · 7 hours ago

    🏦🏦🏦🏦🏦🏦🏦🏦🏦👌😏🤗🙌🙌🙌🙌🙌🙌🙌 Thank you Thank you my friend and well wisher Hare Krsna Allah!!!

  • @pphreak_1001 · 1 day ago

    Interesting 👌

  • @codecaine · 1 day ago